keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).

application-credentials.inc
.. -*- rst -*-

=======================
Application Credentials
=======================

Application credentials provide a way to delegate a user's authorization to an
application without sharing the user's password authentication. This is a
useful security measure, especially for situations where the user's
identification is provided by an external source, such as LDAP or a
single sign-on service. Instead of storing user passwords in config files, a
user creates an application credential for a specific project, with all or a
subset of the role assignments they have on that project, and then stores the
application credential identifier and secret in the config file.

Multiple application credentials may be active at once, so you can easily
rotate application credentials by creating a second one, converting your
applications to use it one by one, and finally deleting the first one.

Application credentials are limited by the lifespan of the user that created
them. If the user is deleted, disabled, or loses a role assignment on a
project, the application credential is deleted.

Application credentials can have their privileges limited in two ways. First,
the owner may specify a subset of their own roles that the application
credential may assume when getting a token for a project. For example, if a
user has the ``member`` role on a project, they also have the implied role
``reader`` and can grant the application credential only the ``reader`` role
for the project:

::

    "roles": [
        {"name": "reader"}
    ]

Users also have the option of delegating more fine-grained access control to
their application credentials by using access rules. For example, to create an
application credential that is restricted to creating servers in nova, the
user can add the following access rules:

::

    "access_rules": [
        {
            "path": "/v2.1/servers",
            "method": "POST",
            "service": "compute"
        }
    ]

The ``"path"`` attribute of application credential access rules uses a wildcard
syntax to make it more flexible. For example, to create an application
credential that is restricted to listing server IP addresses, you could use
either of the following access rules:

::

    "access_rules": [
        {
            "path": "/v2.1/servers/*/ips",
            "method": "GET",
            "service": "compute"
        }
    ]

or equivalently:

::

    "access_rules": [
        {
            "path": "/v2.1/servers/{server_id}/ips",
            "method": "GET",
            "service": "compute"
        }
    ]

In both cases, a request path containing any server ID will match the access
rule. For even more flexibility, the recursive wildcard ``**`` indicates that
request paths containing any number of ``/`` will be matched. For example:

::

    "access_rules": [
        {
            "path": "/v2.1/**",
            "method": "GET",
            "service": "compute"
        }
    ]

will match any nova API for version 2.1.
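
As an added example that is not part of this document or of keystone's own code, the following Python sketch implements the access rule matching described above: ``*`` or a ``{name}`` placeholder matches exactly one path segment, ``**`` matches any number of segments, and ``method`` and ``service`` must match the request exactly. The ``AccessRule`` type, the function names and the sample requests are constructed for the illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRule:
    """One access rule of an application credential (constructed sample type)."""
    path: str
    method: str
    service: str


# Tokens of a rule path: a {name} placeholder, "**", a single "*", or one literal character.
# "**" is tried before "*" so the alternation does not split it into two single wildcards.
_TOKEN = re.compile(r'(?P<tag>\{[^}]*\})|(?P<rec>\*\*)|(?P<wild>\*)|(?P<lit>.)')


def rule_path_to_regex(pattern: str) -> re.Pattern:
    """Translate a rule path into an anchored regex with the documented wildcard semantics."""
    parts = []
    for m in _TOKEN.finditer(pattern):
        if m.group('tag') or m.group('wild'):
            parts.append(r'[^/]+')                   # exactly one non-empty path segment
        elif m.group('rec'):
            parts.append(r'.*')                      # any number of segments, "/" included
        else:
            parts.append(re.escape(m.group('lit')))  # literal text such as "/v2.1/"
    return re.compile('^' + ''.join(parts) + '$')


def request_allowed(rules, service: str, method: str, path: str) -> bool:
    """True if at least one rule matches the request's service, method and path."""
    return any(
        r.service == service
        and r.method.upper() == method.upper()
        and rule_path_to_regex(r.path).match(path) is not None
        for r in rules
    )


if __name__ == '__main__':
    # Constructed sample: the two compute rules from the examples above, applied to requests.
    rules = [AccessRule('/v2.1/servers', 'POST', 'compute'),
             AccessRule('/v2.1/servers/{server_id}/ips', 'GET', 'compute')]
    for svc, meth, path in [('compute', 'POST', '/v2.1/servers'),
                            ('compute', 'GET', '/v2.1/servers'),           # listing is not granted
                            ('compute', 'GET', '/v2.1/servers/7f3a/ips'),
                            ('image', 'GET', '/v2.1/servers/7f3a/ips')]:   # wrong service
        verdict = 'allowed' if request_allowed(rules, svc, meth, path) else 'denied'
        print(f'{meth} {svc} {path}: {verdict}')
```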

An access rule created for one application credential can be re-used by
providing its ID to another application credential, for example:

::

    "access_rules": [
        {
            "id": "abcdef"
        }
    ]

Authenticating with an Application Credential
=============================================

.. rest_method:: POST /v3/auth/tokens

To authenticate with an application credential, specify
``application_credential`` as the auth method. You are not allowed to request a
scope, as the scope is retrieved from the application credential.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - identity: identity
   - methods: auth_methods_application_credential
   - application_credential: request_application_credential_body_required
   - id: request_application_credential_auth_id_body_not_required
   - name: request_application_credential_auth_name_body_not_required
   - secret: request_application_credential_auth_secret_body_required
   - user: request_application_credential_user_body_not_required

Example
~~~~~~~

An application credential can be identified by an ID:

.. literalinclude:: samples/admin/auth-application-credential-id-request.json
   :language: javascript

It can also be identified by its name and a user object:

.. literalinclude:: samples/admin/auth-application-credential-name-request.json
   :language: javascript

Response
--------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - X-Subject-Token: X-Subject-Token
   - domain: domain
   - methods: auth_methods
   - user: user
   - token: token
   - expires_at: expires_at
   - project: project
   - catalog: catalog
   - roles: roles
   - audit_ids: audit_ids
   - issued_at: issued_at
   - id: user_id
   - name: user_name
   - application_credential_restricted: auth_application_credential_restricted_body

Example
~~~~~~~

.. literalinclude:: samples/admin/auth-application-credential-response.json
   :language: javascript

A token created with an application credential will have the scope and roles
designated by the application credential.

Create application credential
=============================

.. rest_method:: POST /v3/users/{user_id}/application_credentials

Creates an application credential for a user on the project to which the
current token is scoped.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_application_credential_user_id_path_required
   - application_credential: request_application_credential_body_required
   - name: request_application_credential_name_body_required
   - secret: request_application_credential_secret_body_not_required
   - description: request_application_credential_description_body_not_required
   - expires_at: request_application_credential_expires_at_body_not_required
   - roles: request_application_credential_roles_body_not_required
   - unrestricted: request_application_credential_unrestricted_body_not_required
   - access_rules: request_application_credential_access_rules_body_not_required

Example
~~~~~~~

.. literalinclude:: samples/admin/application-credential-create-request.json
   :language: javascript

Response
--------

.. rest_status_code:: success status.yaml

   - 201

.. rest_status_code:: error status.yaml

   - 400
   - 401
   - 403
   - 404
   - 409

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - application_credential: response_application_credential_body
   - id: response_application_credential_id_body
   - name: response_application_credential_name_body
   - secret: response_application_credential_secret_body
   - description: response_application_credential_description_body
   - expires_at: response_application_credential_expires_at_body
   - project_id: response_application_credential_project_id_body
   - roles: response_application_credential_roles_body
   - access_rules: response_application_credential_access_rules_body
   - unrestricted: response_application_credential_unrestricted_body
   - links: link_response_body

Example
~~~~~~~

.. literalinclude:: samples/admin/application-credential-create-response.json
   :language: javascript

List application credentials
============================

.. rest_method:: GET /v3/users/{user_id}/application_credentials

List all application credentials for a user.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_application_credential_user_id_path_required
   - name: request_application_credential_name_query_not_required

Response
--------

.. rest_status_code:: success status.yaml

   - 200

.. rest_status_code:: error status.yaml

   - 401
   - 403
   - 404

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - application_credential: response_application_credential_body
   - id: response_application_credential_id_body
   - name: response_application_credential_name_body
   - description: response_application_credential_description_body
   - expires_at: response_application_credential_expires_at_body
   - project_id: response_application_credential_project_id_body
   - roles: response_application_credential_roles_body
   - access_rules: response_application_credential_access_rules_body
   - unrestricted: response_application_credential_unrestricted_body
   - links: link_collection

Example
~~~~~~~

.. literalinclude:: samples/admin/application-credential-list-response.json
   :language: javascript

Show application credential details
===================================

.. rest_method:: GET /v3/users/{user_id}/application_credentials/{application_credential_id}

Show details of an application credential.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_application_credential_user_id_path_required
   - application_credential_id: request_application_credential_id_path_required

Response
--------

.. rest_status_code:: success status.yaml

   - 200

.. rest_status_code:: error status.yaml

   - 401
   - 403
   - 404

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - application_credential: response_application_credential_body
   - id: response_application_credential_id_body
   - name: response_application_credential_name_body
   - description: response_application_credential_description_body
   - expires_at: response_application_credential_expires_at_body
   - project_id: response_application_credential_project_id_body
   - roles: response_application_credential_roles_body
   - access_rules: response_application_credential_access_rules_body
   - unrestricted: response_application_credential_unrestricted_body
   - links: link_response_body

Example
~~~~~~~

.. literalinclude:: samples/admin/application-credential-get-response.json
   :language: javascript

Delete application credential
=============================

.. rest_method:: DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

Delete an application credential.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_application_credential_user_id_path_required
   - application_credential_id: request_application_credential_id_path_required

Response
--------

.. rest_status_code:: success status.yaml

   - 204

.. rest_status_code:: error status.yaml

   - 401
   - 403
   - 404

List access rules
=================

.. rest_method:: GET /v3/users/{user_id}/access_rules

List all access rules for a user.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/access_rules``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_access_rule_user_id_path_required

Response
--------

.. rest_status_code:: success status.yaml

   - 200

.. rest_status_code:: error status.yaml

   - 401
   - 403
   - 404

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - access_rules: response_access_rules_body
   - id: response_access_rules_id_body
   - path: response_access_rules_path_body
   - method: response_access_rules_method_body
   - service: response_access_rules_service_body
   - links: link_collection

Example
~~~~~~~

.. literalinclude:: samples/admin/access-rules-list-response.json
   :language: javascript

Show access rule details
========================

.. rest_method:: GET /v3/users/{user_id}/access_rules/{access_rule_id}

Show details of an access rule.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/access_rules``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_access_rule_user_id_path_required
   - access_rule_id: request_access_rule_id_path_required

Response
--------

.. rest_status_code:: success status.yaml

   - 200

.. rest_status_code:: error status.yaml

   - 401
   - 403
   - 404

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - access_rules: response_access_rules_body
   - id: response_access_rules_id_body
   - path: response_access_rules_path_body
   - method: response_access_rules_method_body
   - service: response_access_rules_service_body
   - links: link_collection

Example
~~~~~~~

.. literalinclude:: samples/admin/access-rule-get-response.json
   :language: javascript

Delete access rule
==================

.. rest_method:: DELETE /v3/users/{user_id}/access_rules/{access_rule_id}

Delete an access rule. An access rule that is still in use by an application
credential cannot be deleted.

Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/access_rules``

Request
-------

Parameters
~~~~~~~~~~

.. rest_parameters:: parameters.yaml

   - user_id: request_access_rule_user_id_path_required
   - access_rule_id: request_access_rule_id_path_required

Response
--------

.. rest_status_code:: success status.yaml

   - 204

.. rest_status_code:: error status.yaml

   - 401
   - 403
   - 404